This document discusses how to create targeted threat intelligence feeds for a specific industry. It recommends researching advanced persistent threat (APT) groups that target the industry and mapping their tactics and techniques using MITRE ATT&CK. Highest scoring techniques are identified and log sources examined to determine gaps. Tags for the techniques are searched in MISP to produce a weighted threat feed, which can be enriched and exported to a security information and event management (SIEM) system. Automation using APIs and code is also suggested.

1. CREATING APT TARGETED THREAT FEEDS
FOR YOUR INDUSTRY

2. Circle City Con 7.0 Apocalypse

4. Defensive Pizza
Environmental Intelligence connects
the other intelligences together.
Curated intelligence feeds ( global
and community) enrich detection.
Proactive Intelligence gives a targeted
and actionable defense.
Crust
Sauce
Toppings

5. Advanced
Persistent
Threats

6. Image: CrowdStrike

7. You have around 20 minutes to
contain a Russian APT attack
https://www.zdnet.com/article/you-have-around-20-minutes-to-contain-a-russian-apt-attack/

8. • MITRE ATT&CK is a knowledge base of adversary
tactics and techniques based on real-world
observations.
• Tactics are what attackers are trying to achieve.
• A technique is a specific behavior to achieve a goal
and is often a single step in a string of activities
employed to complete the attacker’s overall mission.

15. https://attack.mitre.org/beta/groups/
• Select the APT groups that target your industry.

16. 11 11
3
8
5 5
7
3
8
Financial Defense NGO Healthcare Education Aviation Energy Retail Technology
Targeted Industries

18. • Research APT groups that target your industry.
• Make a heat map using MITRE ATT&CK tools to see which techniques
were most likely.
• A single color may work better than stop light protocol colors.
• Assign scores to each APT group and layer them.
• Place focus on the beginning of the kill chain before persistence.
• Identify log sources of the highest scoring techniques.
• Examine log sources to see what gaps are present.
• Search for tags of the techniques in MISP to produce a weighted feeds.
• Feeds can be enriched by Cortex analyzers.
• Export enriched feeds to SIEM.
• Automate by a cURL command.

26. What is a threat intelligence platform?
•A threat intelligence platform or TIP facilitates the collection,
aggregation and correlation of threat data from multiple sources
in real time.
•This helps analysts identify threats that are relevant to their
organization.

27. •Traditionally sharing threat data is a manual process: through
email, spreadsheets or a ticketing portal.
•This approach does not scale.
•However, the use of APIs allow for the automation of actions
without direct user involvement.

28. •The TIP makes it easier to share threat intelligence with other
stakeholders.
•The data that is collected can be used to enrich and
contextualize other alerts in your security stack.

29. •TIPs use APIs to generate Whois information, reverse IP lookup,
name servers, domain blocklists, etc.
•The TIP automatically analyzes the content of threat indicators to
identify a threat actor's tactics, techniques and procedures (TTPs).

30. https://github.com/MISP/MISP

47. A fusion of anomaly based detection, shared intelligence feeds and counterintelligence derived from deception technology.
Synergetic Intelligence Automation
Environmental Intelligence connects the
other intelligences together.
Curated intelligence feeds ( global
and community) enrich detection..
Proactive Intelligence gives a targeted
and actionable defense recipe.
Sauce
Crust
Toppings

51. https://github.com/MISP/MISP

52. https://attack.mitre.org/beta/groups/

54. • Research APT groups that target your industry.
• Make a heat map using MITRE ATT&CK tools to see which techniques
were most likely.
• A single color may work better than stop light protocol colors.
• Assign scores to each APT group and layer them.
• Place focus on the beginning of the kill chain before persistence.
• Identify log sources of the highest scoring techniques.
• Examine log sources to see what gaps are present.
• Search for tags of the techniques in MISP to produce a weighted feeds.
• Feeds can be enriched by Cortex analyzers.
• Export enriched feeds to SIEM.
• Automate by a cURL command.
• Python can also be integrated.

56. https://github.com/S1lv3rL10n/Talks